Threshold and Proactive Pseudo-Random Permutations⋆

Threshold and Proactive Pseudo-Random Permutations? Yevgeniy Dodis1?? , Aleksandr Yampolskiy2? ? ? , and Moti Yung3 1

3

New York University, Department of Computer Science, 251 Mercer Street, New York, NY 10012, USA, [email protected] 2 Yale University, Department of Computer Science, 51 Prospect Street, New Haven, CT 06520, USA, [email protected] RSA Laboratories and Columbia University, Department of Computer Science, 1214 Amsterdam Avenue, New York, NY 10027, USA, [email protected]

Abstract. We construct a reasonably efficient threshold and proactive pseudo-random permutation (PRP). Our protocol needs only O(1) communication rounds. It tolerates up to (n − 1)/2 of n dishonest servers in the semi-honest environment. Many protocols that use PRPs (e.g., a CBC block cipher mode) can now be translated into the distributed setting. Our main technique for constructing invertible threshold PRPs is a distributed Luby-Rackoff construction where both the secret keys and the input are shared among the servers. We also present protocols for obliviously computing pseudo-random functions by Naor-Reingold [37] and Dodis-Yampolskiy [24] with shared input and keys. Key words. Distributed Block Ciphers, Distributed Luby-Rackoff Construction, Oblivious Pseudo-Random Functions, Threshold Cryptography.

1

Introduction

Block ciphers are familiar cryptographic tools, which transform blocks of plaintext into blocks of ciphertext of the same length. The DES (U.S. Data Encryption Standard) is a well-known example of a block cipher, which was, until recently, used by many financial firms to protect online transactions. Traditionally, pseudo-random permutations (PRPs) have been used to model secure block ciphers [33]. They map l-bit inputs into unique l-bit outputs that appear random to parties who lack the secret key. A close relative of the PRP is a ?

?? ???

An extended abstract of this paper is to appear in the proceedings of the Third Theory of Cryptography Conference (TCC 2006). Supported in part by NSF career award CCR-0133806 and NSF grant CCR-0311095. Supported by NSF grants CCR-0098078,ANI-0207399,CNS-0305258, and CNS0435201.

pseudo-random function (PRF), which needs not be invertible, but whose outputs also look like random bit-strings without the secret key [27]. Motivation. The security of these functions relies on the owner of the secret key, who has a primary responsibility of keeping the key safe. Alas, it is not always realistic to put all trust into a single party. The area of threshold cryptography deals exclusively with sharing the ability to perform cryptographic operations between a set of n servers [20]. A long line of research produced many distributed protocols that are more efficient than generic multi-party solutions when used for public key encryption [17, 40, 41], digital signatures [19, 21, 22, 26], key generation [1, 8, 25], pseudo-random functions [10, 36, 38], and other applications. The extra security and increased availability of constructions justify the added complexity. The pseudo-random permutation is the only primitive that is still missing from this long list. Several initial attempts [9, 34] gave a very basic sharing structure with many limitations and drawbacks.4 The question of constructing a threshold PRP was yet left open. In this paper, we resolve this problem. Many protocols are defined for PRPs (block ciphers) and, when needed, can now be readily translated into the distributed setting. This makes sense for sensitive operations like keyencrypting-key in the Key Distribution Center [36]. Applications such as distributed remotely keyed authenticated encryption and CBC encryption mode become possible, since they require a PRP as a building block (regular PRFs do not suffice). We focus on implementing the Luby-Rackoff construction [33] as a method for building PRPs. It uses the Feistel permutation for function F (denoted F¯ ), which sends a 2l-bit string (xL , xR ) to a 2l-bit string (xR , xL ⊕ F (xR )). Luby and Rackoff showed that a composition of four Feistel permutations (denoted Ψ (F1 , F2 , F3 , F4 ) = F¯1 ◦ · · · ◦ F¯4 ) is a secure 2l-bit PRP when Fi are independent l-bit PRFs. While a sequential composition of PRFs to build a sequential PRP is generic, there is a major technical difficulty in the distributed Luby-Rackoff construction. Particularly, the difficult part is that if one uses a PRF as an intermediate round function, then not just the secret key, but also the output needs to be kept distributed to assure the security of the entire Luby-Rackoff construction. At the same time, the computation needs to continue and compute on these shares, which means that we need to compute on shared inputs as well. Our Results. This paper describes an O(1) round distributed protocol for evaluating Ψ (F1 , F2 , F3 , F4 ), which results in a threshold pseudo-random permutation. Our protocol invokes the multiplication protocol for the underlying secret sharing scheme O(mn + m log m) times, where n is the number of servers and m is the maximum input length. It tolerates up to τ = b(n − 1)/2c dishonest 4

They showed how to build rather inefficient cascade ciphers Ek (x) = gkm (. . . gk2 (gk1 (x))), where g(·) is itself a secure cipher, by sharing a sequence of keys in a special way. For ` ´τ -out-of-n sharing, the number of keys and composition layers is on the order of nτ , which is exponential for most τ = ω(1).

servers in the semi-honest model, which is consistent with some prior work on distributed PRFs [36] and multiparty tools [1, 12, 15] used in our constructions. It can be made robust using standard techniques [42] and, as we show, can be amended to ensure proactive security [31]. As we have explained, intermediate Feistel values arising after each round of the Luby-Rackoff construction must be kept secret, yet we must evaluate the PRFs Fi on them. Unfortunately, prior distributed PRF constructions [10,36,38] are inapplicable to our problem, because they require the PRF input to be publicly known. We give two protocols for distributed computation of PRFs by Naor-Reingold [37] and Dodis-Yampolskiy [24] when both the secret keys and the input are shared among the servers. Effectively, we implement oblivious distributed PRFs, where servers do not learn what the input is, yet blindly compute the PRF value. We note that, theoretically, we can always use general multi-party techniques [5] to distribute the computation of a PRP. Until recently, this was not a viable option. These techniques either (i) required a linear number of communication rounds (in the circuit depth) [5, 44] or (ii) ran in O(1) rounds but used expensive zero-knowledge proofs for each gate of the circuit [4]. A recent improvement by Damg˚ ard et al. [16] allows to securely evaluate any circuit C in O(1) rounds using O(|C|n) cryptographic operations (|C| is the circuit size). If we distribute the DES circuit (which is believed to be a PRP) using Damg˚ ard et al.’s techniques, we obtain comparable efficiency to our threshold PRP.5 Our protocol is thus fairly practical. In addition, it has theoretical value in and of itself and could be of independent interest in other fields. Overview of Our Construction. In our protocol, servers hold Shamir shares [43] of secret keys SKi to PRFs Fi used in the Luby-Rackoff (LR) construction of a PRP Ψ (F1 , F2 , F3 , F4 ). The untrusted user who wants to compute the PRP’s value broadcasts his input x to the servers. Servers somehow verify that the user is entitled to evaluate the PRP and engage in an interactive protocol, which terminates with shares of the PRP’s value. Our round functions Fi are based on a PRF by Dodis-Yampolskiy [24]. We chose this PRF because it possesses useful algebraic properties and can be computed in O(1) rounds. Given an l-bit input x = x1 x2 . . . xl (which can be viewed as an element of ZQ ) and a secret key SK ∈ ZQ , the PRF value is FSK (x) = g 1/(x+SK) . Here, g is the generator of a group in which the decisional Diffie-Hellman inversion (y-DDHI) problem is hard. The y-DDHI problem y asks: “given (g, g x , . . . , g (x ) , R) as input, to decide whether R = g 1/x or not.” It appears hard in a quadratic residues subgroup GQ of Z∗P (P = 2Q + 1) for sufficiently large primes P, Q. 5

In fact, for realistic settings, our algorithm performs better. The full DES circuit contains about |C| ≈ 16000 Boolean gates [6]. Let the group size be a m = 1024 bit prime and the number of servers be n = 100. Our protocol performs roughly (mn + m log m) · (m2 n + mn2 log n) ≈ 1.95 × 1013 bit operations, while Damg˚ ard et al.’s protocol [16] performs (|C|n) · (mn2 log n) ≈ 10.9 × 1013 operations to compute the DES circuit.

Dodis and Yampolskiy showed that FSK (·) is secure only for inputs of small length l = ω(log k), which makes it unsuitable for the LR construction, whose round functions must accept longer l = Θ(k) bit inputs (k is the security parameter). In this paper, we assume subexponential hardness of the y-DDHI problem. This immediately allows us to support inputs of size a = Θ(k δ ) for some small δ ≈ 1/3. We can shrink the input to the LR construction from l = Θ(k) bits down to a = Θ(k δ ) bits using an -universal hash function hi (x) = (ix mod Q) mod 2a . 0 We thus get a new PRF Fi,SK (x) = FSK (hi (x)), which can be used in the (centralized) LR construction. We distribute the LR construction using well-known multiparty tools of addition, multiplication, inversion, etc. [1, 3, 5]. We rely heavily on an O(1) round protocol by Damg˚ ard et al. [15], which computes shares of bits of x ∈ ZP from shares of x. This protocol allows us to efficiently perform modular reduction, exponentiation, and truncation of shared values. 0 (x) with shared input x and keys (i, SK) as We can compute the PRF Fi,SK follows. Computing the -universal hash hi (x) = (ix mod Q) mod 2a amounts to a single multiparty multiplication, followed by a call to Damg˚ ard et al.’s protocol to extract the trailing a bits. We can also distribute the computation of FSK (x) = g 1/(x+SK) because it is well-known how to do multiparty addition, 0 (x), inversion, and exponentiation. As a result, we obtain a sharing of Fi,SK a random group element in GQ , whereas we need a sharing of a random l-bit string. We can use a deterministic extractor E(x) = (x(P +1)/4 mod P ) mod 2l to convert this group element into a random l-bit string. Computing this extractor distributively entails a single distributed exponentiation followed by a call to Damgard et al.’s protocol to extract l bits. 0 (·), we can distribute a Armed with a protocol for computing the PRF Fi,SK L R 0 (xR )). The single Feistel permutation, which maps (x , x ) into (xR , xL ⊕ Fi,SK only missing link is how to XOR shares of PRF’s bits with shares of input’s bits. Given shares of bits b1 , b2 ∈ {0, 1}, we can get a share of b1 ⊕ b2 by distributively computing (b1 + b2 ) · (2 − (b1 + b2 )). This completes our calculation. We obtain a threshold PRP by iterating the distributed Feistel permutation four times, cross-feeding its outputs to inputs. Paper Organization. The remainder of the paper is organized as follows. Section 2 reviews some preliminaries and defines our system model. In Section 3, we give distributed protocols for evaluating pseudo-random functions by Naor-Reingold [37] and Dodis-Yampolskiy [24] when both the keys and the input are shared. Then in Section 4, we present our threshold PRP construction. In Section 5, we describe a distributed exponentiation protocol, which is used throughout the paper. Some practical applications of our threshold PRP appear in Section 6. We conclude in Section 7.

2

Preliminaries

In this section, we discuss some basic definitions and assumptions.

2.1

Our Model

Let k be a security parameter. We consider n computationally bounded servers P1 , . . . , Pn , which are connected by secure and authentic channels6 . Our protocols are secure against a static, honest-but-curious adversary who controls up to τ = b(n − 1)/2c servers. This threshold results from the multiplication protocol by Ben-Or et al. [5], which is used throughout the paper. We prove security in the framework by Canetti [11]. In the honest-but-curious setting, privacy is preserved under non-concurrent modular composition of protocols. This composition theorem will be the main source of our privacy proofs. 2.2

Notation

The notation in this paper is adapted from [1, 15]. We define ZP as the set {0, . . . , P − 1}. We denote additive shares over ZP of a value a ∈ ZP by Pn P P , . . . , hai ∈ Z ; i.e., a = hai haiP P n 1 j mod P . Meanwhile, we denote Shamir j=1 Pτ P P P shares [43] of a ∈ ZP by [a]1 , . . . , [a]n ∈ ZP ; i.e., a = j=1 λj [a]j mod P , where τ is the threshold and λj are the Lagrange coefficients. P We denote protocols as follows: the term [a]P j ← PROTOCOL([b]j , c) means P that server Pj executes the protocol PROTOCOL with local input [b]j and public input c. As a result of the protocol, it gets back local output [a]P j . In all cases, the local inputs and outputs will be Shamir shares over the appropriate field. 2.3

Building Blocks

We review some standard tools for multiparty computation that are used throughout the paper. All these protocols require O(1) rounds of communication. We measure their running time in terms of bit operations in m = dlog2 P e (the modulus length) and n (the number of servers). Below, we use B as a shorthand for O(nm2 + mn2 log n). Sharing a secret. To compute a Shamir sharing of x ∈ ZP over ZP , player Pj chooses coefficients αk ∈ ZP for k = 1, . . . , τ . He then sends [x]P i = Pτ random k x + k=1 αk · i mod P to player Pi . We denote this protocol by RANDSS(x, ZP ); it takes O(n2 m log n) bit operations. Basic operations. Addition and multiplication of a constant and a Shamir share can be done locally. Hence, [x]P j + c mod P is a polynomial share of x + c mod P and c · [x]P j mod P is a share of xc mod P . These operations take O(m) and P O(m2 ) bit operations, respectively. Similarly, we can compute [x]P j +[y]j mod P , which is a share of x + y mod P . Addition requires O(m) bit operations. 6

Such channels can be implemented using public-key encryption and digital signatures.

Multiplication. We note that a product of polynomially many shared secrets x1 , . . . , xs ∈ Z∗P can be computed in constant rounds [3, 15]. We denote this P protocol by MUL([x1 ]P j , . . . , [xs ]j ); it uses O(sB) bit operations. Conversion between bit shares. Given Shamir shares of a single bit b ∈ {0, 1} in ZP , we may need to obtain its shares in ZQ . We can do this as follows. P First, each server Pj locally computes [b0 ]P j ← −2 · [b]j + 1 (mod P ) to convert the bit from a 0/1 to a 1/ − 1 encoding. Next, Pj chooses a random bj ∈ {1, −1} and shares it among servers in both ZP and ZQ . He computes [b00 ]P j ← P P 00 MUL([b0 ]P , [b ] , . . . , [b ] ) and reveals it for all servers to reconstruct b . Finally, 1 j n j j Q Pj multiplies b00 (mod Q) by its share of MUL([b1 ]Q j , . . . , [bn ]j ) and converts the result to a 0/1 encoding. The protocol requires O(1) rounds and O(nB) bit operations. Bit representation. Let x ∈ ZP be a shared secret (written xm . . . x1 in binary). In some situations, we will need to obtain Shamir shares of the bits of x. For P this, we will use a protocol by Damg˚ ard et al. [15], denoted ([x1 ]P j , . . . , [xm ]j ) ← P BITS([x]j ), which uses O((m log m)B) bit operations. Occasionally, we will need to compute shares of a least significant bits of x ∈ ZP in ZQ (rather than in ZP ). We will first run the BITS([x]P j ) protocol and then convert each bit share from ZP to ZQ . We denote this protocol by Q P ([x1 ]Q j , . . . , [xa ]j ) ← BITS([x]j , a, ZQ ). It requires O(1) rounds and O((an + m log m)B) bit operations. P Given bit-by-bit shares of x ∈ ZP , denoted [x1 ]P j , . . . , [xm ]j , we can easily Pm i−1 P · [xi ]P obtain shares of x by locally computing [x]j ← i=1 2 j mod P . This 3 takes O(m ) bit operations. Inversion. Let x ∈ ZP be a shared secret. A protocol due to Bar-Ilan and −1 mod P . Beaver [3], denoted by INV([x]P j ), allows us to compute the shares of x It takes an expected number of O(B) bit operations. Generating a random number. Occasionally, servers may need to jointly generate shares of a random number. A simple protocol, denoted JRP(ZP ), accomplishes this in O(mn2 log n) bit operations [1]. There also exists a protocol JRPZ(ZP ) to jointly compute a sharing of zero modulo P in O(mn2 log n) bit operations. Exponentiation Some of our protocols require computing the shares of xy mod P when: (i) the exponent y ∈ ZQ is shared, but the base is fixed; (ii) the base x ∈ ZP is shared and the exponent is fixed; or (iii) both the base and the exponent are P shared. We denote protocols for the above scenarios EXP1 (x, [y]Q j ), EXP2 ([x]j , y), Q and EXP([x]P j , [y]j ). These protocols run in O(1) rounds and require, respectively, O((mn + m log m)B), O(m3 + nB), and O(m4 + (mn + m log m)B) bit operations per player. We describe them later in Section 5.

3

Distributed Pseudo-Random Functions

In this section, we describe two distributed PRF constructions, where both the secret key and the input are shared. This will ensure that unscrupulous servers do not learn the results of intermediate Luby-Rackoff computations. In Section 3.1, we show how to do this for the PRF by Naor and Reingold [37]. Then in Section 3.2, we describe how to do this for the recently introduced PRF by Dodis and Yampolskiy [24]. Let the input size l : N 7→ N be a function computable in poly(k) time. Sometimes, for simplicity, we will write l for l(k). The initial input for all servers is a triple (P, Q, g), where P, Q are large primes such that P = 2Q + 1 and P ≡ 3 mod 4. Here g is a generator of quadratic residues subgroup GQ of Z∗P . The group Z∗P must be sufficiently large, i.e., P  2k . Such a triple can be publicly chosen without a trusted party by executing Bach’s algorithm [2]. Both centralized PRFs take as input an l-bit message x, the secret key SK and output a random group element in GQ . In our distributed PRFs, each server Pj receives a share of the secret key SK and l shares of bits of x.

3.1

Naor-Reingold PRF

The secret key SK = (a0 , a1 , . . . , al ) consists of l + 1 random exponents in ZQ . NR : {0, 1}l 7→ GQ is defined as Given an l-bit input x = x1 . . . xl , the PRF FSK Q

NR FSK (x) = (g a0 )

i : xi =1

ai

.

This PRF was shown to be secure for polynomially sized inputs, l(k) = poly(k), under the decisional Diffie-Hellman (DDH) assumption: “given (g, g x , g y ) and R ∈ GQ , it is hard to determine if R = g xy or not.” We can compute the PRF value recursively. Set h0 = g a0 . Then, for all i = 1, . . . , l,  ai hi−1 if xi = 1, hi = (1) hi−1 otherwise. It is easily seen that the PRF value must be equal to hl . This form is convenient for distributed computation when both the input x and the secret exponents ai are shared. One problem here is that we need to implement an if-condition on secret input x. We can use a simple trick and rewrite Equation (1) as i hi = hi−1 (1 − xi ) + hai−1 xi for xi ∈ {0, 1}.

(2)

Computing the PRF value distributively amounts to several rounds of distributed multiplication and exponentiation:

Q P P Algorithm 1: A protocol PRF-NR(([a0 ]Q j , . . . , [al ]j ), ([x1 ]j , . . . , [xl ]j )) for NR distributed computation of FSK (x). 1 2 3 4 5 6 7 8 9 10

[0]P BServers jointly generate a sharing of 0 mod P j ← JRPZ(ZP ) P [h0 ]P ← [0] + g mod P BAnd compute a share of generator g. j j for i ← 1 to l BFor all input bits i, do P P [r]P j ← MUL([hi−1 ]j , 1 − [xi ]j ) Q P [s]P j ← EXP([hi−1 ]j , [ai ]j ) P P P [t]j ← MUL([s]j , [xi ]j ) Bwe compute shares of Equation (2) P P P [hi ]j ← [r]j + [t]j end BReturn a share of the PRF value. return [hl ]P j

Proving security of this protocol is straightforward given the security of its sub-protocols by the composition theorem. The size of the secret key is proportional to the length of the input. What is worse, this protocol requires O(l) rounds of communication. The running time is dominated by l calls to exponentiation protocol in line 6, yielding O(m4 l + (mn + m log m)Bl). bit operations per player. 3.2

Dodis-Yampolskiy PRF

DY : {0, 1}l(k) 7→ GQ (|Q| > l) is as follows. The pseudo-random function FSK Given an l-bit input x (which can also be thought of as an element in ZQ ) and DY the secret key SK ∈ ZQ , the function value is FSK (x) = g 1/(x+SK) [24]. DodisYampolskiy’s proof of security relied on an unorthodox q-decisional Diffie-
q Hellman inversion (q-DDHI) assumption: “given the tuple g, g x , . . . , g (x ) and R ∈ GQ as input, it is hard to decide whether R = g 1/x or not.” Specifically, they showed:

Theorem 1 (Dodis-Yampolskiy). Suppose an attacker who runs for s(k) steps cannot break the 2l(k) -DDHI assumption in group GQ with advantage (k). Then no algorithm running in less than s0 (k) = s(k)/(2l(k) · poly(k)) steps can DY distinguish FSK (·) from a random function with advantage 0 (k) = (k) · 2l(k) . Because the security reduction is rather loose, we can construct PRFs only with small superlogarithmic input l(k) = ω(log k). Unfortunately, “as is” this PRF is unsuitable for use in the Feistel transformation. A Feistel transformation uses length-preserving PRFs which map l(k) = poly(k) input bits to l(k) pseudo-random bits. In theory, small inputs are not a problem. We can either (1) shrink the inputs using a collision-resistant hash function [14] or (2) utilize the generic tree construction [27] to extend the input range. However, when we need to distribute the computation of this PRF between different servers, neither of these options becomes acceptable. As of today, we do not know how to

efficiently distribute collision-resistant hash functions. And if we decide to utilize the generic tree construction, then we might as well use the Naor-Reingold PRF from the start. Instead, we assume subexponential hardness of the q-DDHI assumption in GQ ; that is, we suppose that there is no way to break the q-DDHI assumption except by computing the discrete logarithm of g x in Z∗P . The fastest algorithm for computing discrete logarithms modulo P runs in time roughly exp((1+o(1))· √ √ log P log log P ) [13]. It seems reasonable to assume that no algorithm running 2 in time less than s(k) = 2k (for some small 2 ≈ 13 ) can break the q-DDHI assumption. Formally: Definition 1 (strong DDHI assumption). We say that the strong DDHI assumption holds in GQ if there exist 0 < 1 < 2 such that for all probabilistic 2 1 families of Turing machines {Ak }k∈N with running time O(2k ) and q ≤ 2k , we have: h i q Pr Ak (g, g x , . . . , g (x ) , R) = 1 | R ← g 1/x − x h i q 2 $ Pr Ak (g, g x , . . . , g (x ) , R) = 1 | R ← GQ ≤ poly(k)/2k , x

where the probability is taken over the coin tosses of Ak and the random choice of x ∈ Z∗Q and R ∈ GQ . By Theorem 1, the strong DDHI assumption immediately allows us to support inputs of size k 1 for small 1 > 0. What we need is a shrinking hash function, which maps long l(k) = k bit DY (·). inputs to smaller a(k) = k 1 bit inputs, which can be used as an input to FSK A typical tool used for this purpose is a family of δ-universal hash functions H = {hi : {0, 1}l 7→ {0, 1}a }i ∈ Z∗Q .7 The simplest such construct is hi (x) = (ix mod Q) mod 2a , 1

where the collision probability δ = 1/2a = 1/2k is the best we can hope for. We can thus define a new function F 0 : {0, 1}l 7→ GQ as 0 DY FSK,i (x) = FSK (hi (x)),

which is easily seen to be a secure PRF for polynomially sized inputs using a standard hybrid argument. This new PRF can be used in the Feistel transformation. We now describe how to distribute its computation: 7

We say that a hash family is δ-universal if, for all distinct inputs x, x0 ∈ {0, 1}l , we have Pri [hi (x) = hi (x0 )] ≤ δ.

Q Q Q Algorithm 2: A protocol PRF-DY([i]Q j , [SK]j , [x1 ]j , . . . , [xl ]j )

1 2 3 4 5 6 7 8 9

Pl−1 i Q [x]Q BEncode input x as an element in Z∗Q . j ← i=0 2 · [xi+1 ]j mod Q Q Q [r]Q BThen hash it to ix mod Q. j ← MUL([i]j , [x]j )  1/3  a← l BShrinking factor a = l1/3 . Q Q ([r1 ]Q j , . . . , [ra ]j ) ← BITS([r]j , a, ZQ ) BChop all but a least significant bits. Pa−1 i Q Q [˜ x]j ← i=0 2 · [ri+1 ]j mod Q Q [s]Q x]Q j ← [˜ j + [SK]j mod Q Q [t]Q j ← INV([s]j ) Q [y]P j ← EXP1 (g, [t]j ) return [y]pj

BA share of (˜ x + SK). BInvert the share into 1/(˜ x + SK). BExponentiate to get shares of g 1/(˜x+SK) .

The security of the protocol again follows by composition theorem from security of its subcomponents. Unlike Algorithm 1, this algorithm uses O(1) rounds of communication. However, it relies on a rather strong complexity assumption. Line 8 dominates the running time. It requires O((mn + m log m)B) bit operations, which is more than l times cheaper than the Naor-Reingold distributed protocol.

4

Distributed Pseudo-Random Permutations

We now show how to construct a threshold pseudo-random permutation by distributing the Luby-Rackoff construction. In principle, the Luby-Rackoff construction can be used with any PRF. However, we will use it with the PRF by Dodis-Yampolskiy [24], which allows us to evaluate the threshold PRP in only O(1) communication rounds. We begin by reviewing some formal definitions in Section 4.1. In Section 4.2, we show how to distribute a single Feistel permutation. In Section 4.3, we put all of the pieces together and explain how to distribute the entire Feistel cascade. Finally, in Section 4.4, we analyze our protocol’s security and sketch how to make it proactive. 4.1

Definitions

Definition 2 (Feistel transformation). Let F : {0, 1}l 7→ {0, 1}l be an lbit mapping. We denote by F¯ the permutation on {0, 1}2l defined as F¯ (x) = (xR , xL ⊕ F (xR )), where x = (xL , xR ). Note that F¯ is a permutation even if F is not. Its inverse is given by F¯ −1 (y L , y R ) = (f (y L ) ⊕ y R , y L ). Definition 3 (Feistel network). Let F1 , . . . , Fk : {0, 1}l 7→ {0, 1}l be l-bit mappings. Then a k-round Feistel network is a composition Ψ (F1 , . . . , Fk ) = F¯1 ◦ F¯2 · · · F¯k

l bits

x chopa (ix mod Q) a bits

~ x ~

g1/(SK+x ) log P bits

~ yGQ w ZP* chopk (y~ (P+1)/4 mod P) l bits

y

DY Fig. 1. Transformation of FSK (·) into a length-preserving PRF.

Theorem 2 (Luby-Rackoff ). The permutation Ψ (F1 , F2 , F3 , F4 ) on {0, 1}2l cannot be distinguished from a random permutation by a PPT adversary. Here, Fi are independently keyed pseudo-random functions. 4.2

Distributed Feistel Transformation

0 In Section 3.2, we defined a PRF acting on l(k) = poly(k) bit inputs by Fi,SK (x) = DY FSK (hi (x)). We also gave an O(1) round protocol PRF-DY that computes shares of a PRF value g 1/(hi (x)+SK) from shares of input’s bits and secret key. We now 0 show how to distribute the Feistel transformation Fi,SK , which maps (xL , xR ) 0 to (xR , xL ⊕ Fi,SK (xR )). The inverse Feistel transformation can be computed in a similar manner. Our PRF protocol outputs shares of a random group element in GQ . Meanwhile, we need a sharing of a random l-bit string to use in the Feistel transformation. We use a deterministic extractor, which does not lose any entropy, to extract l bits of randomness. In the centralized setting, given PRF output y˜ ∈ GQ , we can simply compute its square root by letting y = (˜ y (P +1)/4 mod P ) mod 2l (see also Figure 1). To distribute the extractor, we use a distributed exponentiation protocol followed by a conversion into bit shares. Notice that if we have shares of Q bits xi , yi ∈ {0, 1}, denoted by [xi ]Q j and [yi ]j , we can compute a share of their Q Q Q Q Q exclusive-OR as [zi ]j ← [xi ]j + [yi ]j and [zi ]Q j ← MUL([zi ]j , 2 − [zi ]j mod Q). Therefore, given bit shares of a 2l-bit input (xL , xR ), we can readily compute bit shares of a Feistel transformation: Algorithm 3: One round of Feistel transformation Q Q Q FEISTEL([i]Q , [SK] , [x ] , . . . , [x ] ). 1 j 2l j j j

1 2 3 4 5 6 7 8 9

Q Q Q Q [˜ y ]P BPRF value at xR . j ← PRF-DY([i]j , [SK]j , [xl+1 ]j , . . . , [x2l ]j ) [y]P y ]P BExtract square root y (p+1)/4 mod P . j , (P + 1)/4) j ← EXP2 ([˜ Q Q P ([y1 ]j , . . . , [yl ]j ) ← BITS([y]j , l, ZQ ) BTruncate to l bits. for i ← 1 to l (in parallel) BFor all bits i do Q Q [zi ]Q j ← [xi ]j + [yi ]j mod Q Q Q [zi ]j ← MUL([zi ]j , 2 − [zi ]Q BWe compute a share of xi ⊕ yi . j mod Q) end Q Q Q BReturn shares of return ([xl+1 ]Q j , . . . , [x2l ]j , [z1 ]j , . . . , [zl ]j ) DY (xR , xL ⊕ FSK (xR )).

Security follows from composition theorem and security of its subprotocols. The protocol requires O(1) rounds of communication between servers, because the for-loop is computed in parallel, and all other primitives take O(1) rounds. The bit complexity is dominated by a call to the PRF-DY protocol in line 1 and by l = o(m) calls to MUL in line 7, yielding O((mn + m log m)B) bit operations per player.

4.3

Distributed Luby-Rackoff Construction

Once we have a distributed protocol for the Feistel transformation, it is easy to distribute the Luby-Rackoff construction of PRP gs (x) = Ψ (F1 , F2 , F3 , F4 )(x). Initially, the n servers own shares of four independently chosen secret keys for the PRFs. These keys may either be jointly generated by servers or distributed to servers by a trusted party. An untrusted user, who wants to evaluate the PRP on input x = (xL , xR ), broadcasts x to the servers.8 The servers convert x into bit shares and then run the distributed Feistel transformation for four rounds. We thus get: Q Q Q Algorithm 4: LUBY-RACKOFF(([i1 ]Q j , [SK1 ]j ), . . . , ([i4 ]j , [SK4 ]j ), x)

[0]Q BShares of zero. j ← JRPZ(ZQ ) for i ← 1 to 2l (in parallel) BLocally compute shares of input’s bits. do Q [yi ]Q j ← [0]j + xi mod Q end for rnd ← 1 to 4 BRun the Feistel transformation for four rounds. do Q Q Q Q Q ([y1 ]Q j , . . . , [y2l ]j ) ← FEISTEL([irnd ]j , [SKrnd ]j , [y1 ]j , . . . , [y2l ]j ) end Q return ([y1 ]Q j , . . . , [y2l ]j )

1 2 3 4 5 6 7 8 9 10

The round complexity is O(1). Bit complexity is dominated by four calls to the Feistel protocol, which take O((mn + m log m)B) bit operations per player. Similarly, we can distribute the inverse permutation gs−1 (·) by replacing calls to Feistel transforms with calls to inverse Feistel transforms. We denote the resulting protocol by LUBY-RACKOFF−1 . The round and bit complexity remain the same. 4.4

Security

In the stand-alone case, the security of a PRP gs (·) : {0, 1}2l 7→ {0, 1}2l is formalized via a game between an attacker and an oracle. The attacker can query the oracle for gs (·) and gs−1 (·) on messages of his choice. Roughly, the PRP is deemed secure if no attacker can tell apart gs (x∗ ) from random for any message x∗ , which was not asked as a query. In the distributed setting, the attacker also gets transcripts of semi-honest servers. The security property of threshold PRP states that these transcripts do not help the attacker in any way. Formally, for any PPT A = (A1 , A2 ) that breaks the security of threshold PRP by corrupting servers Pi1 , . . . , Piτ , there exists a PPT B = (B1 , B2 ) that breaks the security of the original PRP. 8

Alternatively, the user can split x into bit shares himself.

The attacker A learns key shares of corrupted servers. Then A1 runs in the first stage where it can interact with any honest servers on inputs of his choice. Attacker can ask servers either encryption queries where he learns shares of gs (x) or decryption queries for gs−1 (y). At the end of the phase, A1 outputs state information for A2 and a challenge input x∗ , whose PRP value was not asked as a query. In the second stage, a random coin b ∈ {0, 1} is tossed. A2 $

receives a challenge Γb , which is either Γ0 ← gs (x∗ ) or Γ1 ← {0, 1}2l . We let A2 interact with honest servers, but prohibit it from asking encryption queries on x∗ or decryption queries on Γb . Finally, A2 outputs a guess b0 . We say that A breaks the scheme if Pr[b = b0 ] > 1/2 + negl (k).   -secure threshold pseudo-random Theorem 3. LUBY-RACKOFF protocol is an n−1 2 permutation in the static, honest-but-curious setting. Proof (sketch). In the honest-but-curious setting, LUBY-RACKOFF protocol correctly computes a permutation gs (x) = Ψ (F1 , F2 , F3 , F4 )(x) for some secret key s = ((i1 , SK1 ), . . . , (i4 , SK4 )). We thus concentrate on the pseudorandomness property. For sake of contradiction, suppose there exists adversary A = (A1 , A2 ) that breaks the security of LUBY-RACKOFF. Since A is static, we assume it corrupts the maximum allowed threshold of servers before the protocol starts9 . By symmetry, we can assume corrupt servers Pj have indices Bad = {1, . . . , τ }. Bad servers learn their shares of secret key s. They also observe the protocol’s input x, output y = gs (x), shares of output’s bits y1 , . . . , y2l of both good and bad servers, and all messages Ξ exchanged during the protocol. The adversarial view viewLuby, A is thus a random variable D E Q Q Q Q Q ([i1 ]Q , [SK ] ), . . . , ([i ] , [SK ] ), x, y, [y ] , . . . , [y ] , Ξ 1 4 4 1 2l j j k k k k for j = 1, . . . , n and k ∈ Bad. We construct a simulator B = (B1 , B2 ) that breaks the security of a PRP gs (·). It will run A in a virtual distributed environment and imitate A’s replies to distinguish gs (·) from a random permutation, thereby violating Theorem 2. Setup: Algorithm B generates random shares of keys for corrupt servers. For j ∈ Bad, it picks Q Q Q $ ∗ ∗ ([i1 ]Q j , [SK1 ]j ), . . . , ([i4 ]j , [SK4 ]j ) ← ZQ × ZQ and gives them to A. Responding to queries: When A initiates an honest server Pj (j 6∈ Bad) on input x, B in turn asks his oracle for y = gs (x). It generates random output $

Q ∗ shares [z1 ]Q j , . . . , [z2l ]j ← ZQ for j ∈ Bad. Then, B augments the set of shares of corrupted servers into a full and random sharing of y’s bits. For each bit yi ∈ {0, 1} (1 ≤ i ≤ 2l), B picks a random polynomial αi (x) ∈ ZQ [X] satisfying αi (j) = [zi ]Q j and αi (0) = yi . The adversary A receives randomized output shares (α1 (j), . . . , α2l (j)) for all servers Pj (1 ≤ j ≤ n). 9

If not, we can arbitrarily fix some of the honest servers to be corrupt.

In the semi-honest setting, we can simulate the transcript of each subprotocol used by LUBY-RACKOFF given its input and output values. We can thus use these protocols as black-boxes and simulate messages Ξ in ViewLuby, A . These values provide a perfect simulation of the coalition’s view. Decryption queries are handled just like encryption queries except B queries another oracle gs−1 (·). Challenge: Eventually, attacker A outputs a message x∗ on which it wants to be challenged. It claims to be able to distinguish output of LUBY-RACKOFF(x∗ ) from a random 2l-bit string. B sends the same challenge x∗ to the trusted party and gets back Γ , which is either gs (x∗ ) or a random string. Finally, B gives Γ to A. Guess: Attacker A continues to issue queries for messages other than x∗ . Simulator B responds to queries as before. Finally, A outputs a guess b0 ∈ {0, 1}, which B also returns as its guess. t u An adversary who controls less than τ = b(n − 1)/2c servers cannot break the privacy of our protocol. The protocol can easily be amended to achieve proactive security [31] and withstand the compromise of even all servers as long as at most τ servers are corrupted during each time period. The basic idea is to have servers periodically refresh their shares of the input and the secret keys. To be exact, each server Pj will from time to time execute the JRPZ protocol to generate a random share of zero, called [0]Q j . It will then update its input share Q Q Q Q Q to [x]j ← [x]j + [0]j and its secret keys’ shares to [SKi ]Q j ← [SKi ]j + [0]j .

5

Distributed Exponentiation

We describe how to distribute the computation of xy mod P . Earlier papers by Damg˚ ard et al. [15] and Shoup et al. [1] sketched how to implement distributed exponentiation for some of these scenarios. Unlike prior constructions, in our schemes the modulus P is publicly known rather than shared among the parties; this leads to simpler and more efficient protocols. We also allow the base and the exponent to be shared over different moduli P and Q.

5.1

Base x known, exponent y shared.

We can rewrite: Pl−1

xy = x

i=0

2i yi

=

l−1 Y i=0

 i yi x2 + 1 − yi mod P.

Algorithm 5: Protocol EXP1 (x, [y]Q j ): Base x is publicly known and exponent y is given as shares. 1 2 3

Q P ([y1 ]P BObtain shares of exponent’s bits. j , . . . , [yl ]j ) ← BITS([y]j , ZP ). for i ← 1 to l (in parallel) do P 2i−1 + (1 − [yi ]P [zi ]P j ← [yi ]j · x j ) mod P Bsquare-and-multiply algorithm

used to compute x2 4 5 6

i

end P P [z]P j ← MUL([z1 ]j , . . . , [zl ]j ) return [z]P j

BCompute the product using Bunbounded fan-in multiplication protocol.

The cost of the protocol is dominated by the bit conversion protocol. Its bit complexity is O((mn + m log m)B) and its round complexity is O(1).

5.2

Base x shared, exponent y publicly known.

Damg˚ ard et al. [15] sketched how xy mod P can be computed in this scenario for any x 6= 0. Below, we give a detailed protocol implementing his idea. Algorithm 6: EXP2 ([x]P j , y): Base x is given as shares, while exponent is publicly known. $

2 1 3 4 5 6 7 8

rj ← Z∗P ; tj ← rjy mod P RANDSS(rj ) ; RANDSS(tj ) P upon receiving (([r1 ]P j , . . . , [rn ]j ) P P [r]P j ← MUL([r1 ]j , . . . , [rn ]j ) P P P [t]j ← MUL([t1 ]j , . . . , [tn ]j ) P P [z]P j ← MUL([x]j , [r]j ) send([z]P j ) to all players

BChoose a blinding factor rj and rjy . BShare rj and tj between players.

∧

P ([t1 ]P j , . . . , [tn ]j )):

BA jointly generated random r Band t = ry . BThis is a blinded share of xr, Bwhich we can reveal.

12

P upon receiving ([z]P 1 , . . . , [z]n ): Pτ P z ← j=1 λj [z]j mod P . w ← z y mod P RANDSS(w )

13

−1 P return MUL([w]P = (xr)y · (ry )−1 = xy mod P . j , INV([t]j )) BA share of z · t

9 10 11

BInterpolate shares to get z = xr.

Share w = (xr)y between players.

This protocol is easily seen private as long as x 6= 0. It runs in O(1) rounds. The running time is dominated by calls to multiplication protocol in lines 5-7 and by computation of Shamir secret sharing in lines 2-3. The bit complexity is thus O(m3 + nB).

5.3

Base x shared, exponent y shared.

Combining the above two protocols yields an exponentiation protocol where both the base and the exponent are shared. Essentially, the protocol is the same as EXP1 except in line 5, we replace local multiplication with a call to distributed multiplication algorithm MUL. We also need to use EXP2 to compute the shares i of x2 for i = 1, . . . , l. The final algorithm is as follows. Q Algorithm 7: Protocol EXP([x]P j , [y]j ): Both the base and the exponent are given as shares. 1

Q P ([y1 ]P j , . . . , [yl ]j ) ← BITS([y]j , ZP ). BObtain shares of exponent’s l = blog Qc

bits. 2 3 4 5 6 7

for i ← 1 to l (in parallel) do i P i−1 [s]P mod Q) Bs is a share of x2 . j ← EXP2 ([x]j , 2 2i P P P [zi ]P j ← MUL([yi ]j , [s]j ) + (1 − [yi ]j ) mod P BA share of yi x + (1 − yi ). end P P [z]P BCompute the product using j ← MUL([z1 ]j , . . . , [zl ]j ) P return [z]j Bunbounded fan-in multiplication protocol.

This protocol also runs in O(1) rounds. The protocol performs l invocations of EXP2 and a single invocation of BITS and MUL; hence, it requires O(m4 +(mn+ m log m)B) bit operations per player.

6

Applications of Our Construction

In this paper, we have constructed a threshold pseudorandom permutation. Whenever a PRP is used as part of the construction, we can plug in our protocol instead. Let gs : {0, 1}2l 7→ {0, 1}2l be a 2l-bit pseudo-random permutation obtained from the Luby-Rackoff construction Ψ (F1 , F2 , F3 , F4 ). The PRP’s key s consists of four secret keys SKi of pseudo-random functions Fi used in the construction. We denote by LUBY-RACKOFF our distributed protocol, which evaluates the gs (·). 6.1

CCA-Secure Symmetric Encryption

A PRP is deterministic, so by itself it cannot be a secure encryption scheme [28]. The adversary can easily detect if the same message has been encrypted twice. Desai [18] described how a CCA-secure symmetric encryption scheme can be obtained from a PRP: The encryption Es (m) of a (2l − k)-bit message m is defined as Es (m) = gs (m, r), where r is a k-bit randomly generated nonce. To decrypt, the user computes Ds (c) = gs−1 (c) and extracts the message. To distribute the computation, the key s is split into shares among the n servers. Upon receiving a message m, the servers run the JRP protocol to generate shares of a secret Q random number r. They can extract shares of k bits, written [r1 ]Q j , . . . , [rk ]j ,

using the BITS protocol. Bit shares of m are easy to compute since m is public. FiQ Q Q nally, the servers invoke LUBY-RACKOFF on ([m1 ]Q j , . . . , [m2l−k ]j , [r1 ]j , . . . , [rk ]j ) to get shares of gs (m, r). 6.2

Authenticated Encryption

If we make the nonce r public and check during decryption that it matches the nonce in the ciphertext, then we get a distributed authenticated encryption scheme (AE). Encryption of m is given by AE s (m) = (r, gs (m, r)). The decryption algorithm ADs (r0 , c) computes (r, m) = gs−1 (c) and checks that r = r0 before returning m to the user. The message here is rather short: It is limited to (2l −k) bits by the length of the PRP. For longer messages, we can use an amplification paradigm of Dodis and An [23]: We compute a concealment (b, h) of message m (|b|  |m|), which is a specialized publicly known transformation. In fact, we can even implement distributed remotely keyed authenticated encryption (RKAE) [7], where the servers do not need to perform any checks and just serve as PRP oracles for an untrusted user. The secret key s is split into shares among several computationally bounded smartcards, and an insecure, powerful host performs most of computations. The insecure host computes a concealment (b, h) of m and sends it to the smartcards, who run the LUBY-RACKOFF protocol, and return shares of gs (b). 6.3

Cipherblock Chaining Mode

We often need to encrypt messages that are longer than 2l bits. The message m is usually split into blocks (m1 , . . . , mk ) each of length 2l. Then a PRP may be used in cipher block chaining (CBC) mode [35], which initializes c0 with a random 2l-bit string and sets ci = gs (ci−1 ⊕ mi ) for i = 1, . . . , k. The encryption of m is defined to be (c0 , c1 , . . . , ck ). To decrypt, the user can compute mi = gs−1 (ci ) ⊕ ci−1 . The servers own shares of secret key s. The untrusted user broadcasts message m to the servers. We must be careful to guard against the blockwise adaptive attacks [32]; hence, we require the user to send an entire message m. The servers run the JRP protocol to generate a random shared number from which shares of a 2l-bit c0 are extracted. For i = 1, . . . , k rounds, the servers distributively XOR shares of ci−1 and mi (as in Section 4.3), and then run the LUBY-RACKOFF protocol on the result. 6.4

Variable Input Block Ciphers

Existing block ciphers operate on blocks of fixed length (FIL). Often, one needs a block cipher that can operate on inputs of variable length (VIL). There exist centralized constructions for VIL ciphers, which use a FIL block cipher as a black box: most notably, CMC [30], EME∗ [29] and an unbalanced Feistel network [39]. Our threshold PRP enables us to distribute the computation of these modes. Besides basic arithmetic operations, these modes XOR the ciphertexts (to distribute, we would use BITS), evaluate the fixed-length block cipher

(LUBY-RACKOFF), compute the universal hash function ha,b (x) = ax + b (MUL), and truncate the outputs (BITS).

7

Conclusion

We gave a simple construction of a threshold PRP in the semi-honest model. Our scheme is fairly practical. PRPs are commonly used tools in protocol design. Our techniques enable distributing many protocols (using PRPs), which until now only existed in the centralized setting. In particular, we showed how to distribute the computation of a CBC encryption mode and a remotely keyed authenticated encryption scheme. One open problem is whether we could use group multiplication to implement the distributed Feistel transformation rather than having to convert group elements into bit strings and avoid using the expensive protocol by Damg˚ ard et al. [16] altogether.

8

Acknowledgments

We thank Tomas Toft for his explanation of the bit conversion protocol.

References 1. J. Algesheimer, J. Camenisch, and V. Shoup. Efficient computation modulo a shared secret with applications to the generation of shared safe prime products. In Advances in Cryptology - Proceedings of CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 417–432. Springer-Verlag, 2002. 2. E. Bach. Analytic Methods in the Analysis and Design of Number-Theoretic Algorithms. A.C.M. Distinguished Dissertations. MIT press, Cambridge, MA, 1985. 3. J. Bar-Ilan and D. Beaver. Non-cryptographic fault-tolerant computing in a constant number of rounds. In Proceedings of the ACM Symposium on Principles of Distributed Computation, pages 201–209, 1989. 4. D. Beaver, S. Micali, and P. Rogaway. The round complexity of secure protocols. In Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, pages 503–513, 1990. 5. M. Ben-or, S. Goldwasser, and A. Wigderson. Completeness theorems for noncryptographic fault-tolerant distributed computing. In Proceedings of the 20th Annual ACM Symposium on the Theory of Computing, pages 1–10, 1988. 6. E. Biham. A fast new DES implementation in software. In Fast Software Encryption - Fourth International Workshop, volume 1267 of Lecture Notes in Computer Science, pages 260–272. Springer-Verlag, 1997. 7. M. Blaze, J. Feigenbaum, and M. Naor. A formal treatment of remotely keyed encryption. In Advances in Cryptology - Proceedings of EUROCRYPT 98, Lecture Notes in Computer Science, pages 251–265. Springer-Verlag, 1998. 8. D. Boneh and M. K. Franklin. Efficient generation of shared RSA keys. Journal of the Association for Computing Machinery, 48(4):702–722, 2001.

9. E. F. Brickell, G. D. Crescenzo, and Y. Frankel. Sharing block ciphers. In E. Dawson, A. Clark, and C. Boyd, editors, ACISP, volume 1841 of Lecture Notes in Computer Science, pages 457–470. Springer, 2000. 10. C. Cachin, K. Kursawe, F. Petzold, and V. Shoup. Secure and efficient asynchronous broadcast protocols. In Advances in Cryptology - Proceedings of CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 524–541. SpringerVerlag, 2001. 11. R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. In Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, pages 136–145, 2001. 12. D. Catalano, R. Gennaro, and S. Halevi. Computing inverses over a shared secret modulus. In Advances in Cryptology - Proceedings of EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 190–206. Springer-Verlag, 2000. 13. D. Coppersmith, A. M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1(1):1–15, 1986. 14. I. Damg˚ ard. Collision free hash functions and public key signature schemes. In Advances in Cryptology - Proceedings of EUROCRYPT 87, Lecture Notes in Computer Science, pages 203–216. Springer-Verlag, 1987. 15. I. Damg˚ ard, M. Fitzi, E. Kiltz, J. B. Nielsen, and T. Toft. Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. In Third Theory of Cryptography Conference, 2006. To appear. 16. I. Damg˚ ard and Y. Ishai. Constant-round multiparty computation using a blackbox pseudorandom generator. In Advances in Cryptology - Proceedings of CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 378–394. SpringerVerlag, 2005. 17. I. Damg˚ ard and M. Jurik. A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In Fourth International Workshop on Practice and Theory in Public Key Cryptography, pages 119–136, 2001. 18. A. Desai. New paradigms for constructing symmetric encryption schemes secure against chosen-ciphertext attack. In Advances in Cryptology - Proceedings of CRYPTO 2000, pages 394–412, 2000. 19. Y. Desmedt. Society and group-oriented cryptography: a new concept. In Advances in Cryptology - Proceedings of CRYPTO 87, pages 120–127, 1987. 20. Y. Desmedt. Some recent research aspects of threshold cryptography. In First International Workshop On Information Security, pages 158–173, 1997. 21. Y. Desmedt and Y. Frankel. Threshold cryptosystems. In Advances in Cryptology - Proceedings of CRYPTO 89, pages 307–315, 1989. 22. Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In Advances in Cryptology - Proceedings of CRYPTO 91, pages 457–469, 1991. 23. Y. Dodis and J. H. An. Concealment and its applications to authenticated encryption. In Advances in Cryptology - Proceedings of EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 312–329. Springer-Verlag, 2003. 24. Y. Dodis and A. Yampolskiy. A verifiable random function with short proofs and keys. In Eighth International Workshop on Theory and Practice in Public Key Cryptography, pages 416–431, 2005. 25. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure distributed key generation for discrete-log based cryptosystems. In Advances in Cryptology - Proceedings of EUROCRYPT 99, pages 295–310, 1999. 26. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signatures. Inf. Comput., 164(1):54–84, 2001.

27. O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. Journal of the Association for Computing Machinery, 33:792–807, 1986. 28. S. Goldwasser and S. Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information. In Proceedings of the 14th Annual ACM Symposium on the Theory of Computing, pages 270–299, 1982. 29. S. Halevi. EME∗ : Extending EME to handle arbitrary-length messages with associated data. In Advances in Cryptology - Proceedings of INDOCRYPT 2004, pages 315–327, 2004. 30. S. Halevi and P. Rogaway. A tweakable enciphering mode. In Advances in Cryptology - Proceedings of CRYPTO 2003, pages 482–499, 2003. 31. A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive secret sharing or: How to cope with perpetual leakage. In Advances in Cryptology - Proceedings of CRYPTO 95, pages 339–352, 1995. 32. A. Joux, G. Martinet, and F. Valette. Blockwise-adaptive attackers. revisiting the (in)security of some provably secure encryption modes: CBC, GEM, IACBC. In Advances in Cryptology - Proceedings of CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 17–30. Springer-Verlag, 2002. 33. M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal of Computing, 17:373–386, 1988. 34. K. M. Martin, R. Safavi-Naini, H. Wang, and P. R. Wild. Distributing the encryption and decryption of a block cipher. Designs, Codes, and Cryptography, 2005. to appear. 35. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of applied cryptography. CRC press LLC, Boca Raton, FL, 1997. 36. M. Naor, B. Pinkas, and O. Reingold. Distributed pseudo-random functions and KDCs. In Advances in Cryptology - Proceedings of EUROCRYPT 99, volume 1592 of Lecture Notes in Computer Science, pages 327–346. Springer-Verlag, 1999. 37. M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudorandom functions. In Proceedings of the 38th IEEE Symposium on Foundations of Computer Science, pages 458–467, 1997. 38. J. B. Nielsen. A threshold pseudorandom function construction and its applications. In Advances in Cryptology - Proceedings of CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 401–416. Springer-Verlag, 2003. 39. S. Patel, Z. Ramzan, and G. S. Sundaram. Efficient constructions of variable-inputlength block ciphers. In Selected Areas in Cryptography 2004, pages 326–340, 2004. 40. T. P. Pedersen. A threshold cryptosystem without a trusted party. In Advances in Cryptology - Proceedings of EUROCRYPT 91, pages 522–526, 1991. 41. T. Rabin. A simplified approach to threshold and proactive RSA. In Advances in Cryptology - Proceedings of CRYPTO 98, pages 89–104, 1998. 42. T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In Proceedings of the 21th Annual ACM Symposium on the Theory of Computing, pages 73–85, 1989. 43. A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979. 44. A. Yao. Protocols for secure computation (extended abstract). In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, pages 160–164, 1982.